Over the past decade, numerous social, technological and political pressures have created an array of new risks organizations must address. Data management requirements, cybersecurity threats, political disruption and social responsibility expectations, among other issues, have created a volatile mix of risks requiring careful consideration of even the most basic corporate decisions. In just the last year, for example, the global pandemic shattered the boundaries of the traditional office and amplified data management and privacy concerns that have been coming to a head for years.
Risk managers tasked with understanding the complexities of today’s world are increasingly expected to leverage their interdepartmental connections and experience to coordinate responses for their organizations. Similarly, companies are calling on key legal leadership positions such as general counsel and chief legal officer to address not only a more complex legal risk landscape, but overarching business risks as well.
As the line between business and legal risks continues to blur—and while the legal department expands its role to assist in business strategies, compliance mandates and data security responses—risk professionals will need to work more closely with their organization’s legal leaders. This evolving dynamic presents an opportunity to build a new strategic alliance while leveraging the experience of the legal department.
According to the 2021 ACC CLO Survey, 95% of participating organizations view the legal department as responsible for managing legal risk. The survey, based on responses from 947 chief legal officers (CLOs) at organizations spanning 44 countries, also showed that a specific risk management function is responsible for handling legal risks in about one-third of participating organizations (up six points from 2020), and 28% of CLOs noted that the finance or treasury department is also responsible (up five points from 2020).
These responses clearly indicate that managing risk is already a collaborative effort between risk management, legal and other areas of the business. They also suggest that risk professionals across the company should seek opportunities to collaborate in some capacity with their CLO or general counsel to manage legal and enterprise risks, as many in the C-suite are already doing.
“When we look at risk in general, I think our business partners are expecting us to help them understand the risks, not just from a legal perspective, but from the risk perspective,” said Scott Thayer, chief legal officer and corporate secretary at Dawn Foods, during a recent webinar. “They’re looking at what risks are out there that are going to impact our business strategy…[and] impact our ability to deliver and execute against our goals and objectives. So, it’s managing all those risks together in a holistic approach and bringing all of that, whether it’s identified through enterprise risk management processes or others, into a common frame that helps the business leaders understand risks and… [not just] legal risk.”
To meet these challenges, organizations must have proper risk assessment and mitigation processes in place to account for threats that could harm the bottom line. While this has traditionally been the responsibility of risk managers, it is increasingly clear that organizations benefit significantly when risk and legal professionals coordinate their efforts.
Areas of Collaboration
Given their increasingly overlapping responsibilities, risk officials and legal officers can partner on a variety of risk initiatives. But where should they start? The ACC CLO survey offers some insights that risk professionals and legal officers can use to establish priorities.
The survey showed that 61% of CLOs rank industry-specific regulation as the number one challenge they face, followed by data protection privacy rules (53.6%), political changes (38%, up eight points from 2020), and mergers and acquisitions (20.8%). CLOs’ concern about M&A risks is yet another indication that major business decisions and strategic growth plays put a premium on the legal team’s input and expertise when it comes to risk mitigation.
Taking the list at face value, we can see that risk managers and legal leaders have plenty to talk about. For example, regarding industry-specific compliance challenges, organizations that fail to meet regulatory requirements may incur stiff penalties and fines, but they can also face more nebulous risks and consequences. While the scope of an incident has the most direct impact on regulatory action, outcomes can be exacerbated by unfavorable media coverage of events and the subsequent corporate response. Working together, risk managers and legal leaders can combine their understanding of the direct regulatory fallout, the potential reputational risks, and the threats to the bottom line to create more effective and comprehensive compliance workflows, incident response plans, and business continuity planning. For example, they might collaborate on vetting new processes to increase defensibility against litigation and compliance threats. They might also work with the executive team on information governance, breach responses and compliance checklists to ensure stricter adherence to data privacy regulations.
Collaboration between the risk management and legal functions can also help companies considering responses to cultural or political issues. Fifteen percent of CLOs say their organization has been pressured by investors to take (or refrain from taking) a stand on political or cultural issues over the past year. While the legal risks in this scenario may be less clear and more difficult to quantify than compliance risks, they are still important to consider, and the two disciplines can help each other identify possible blind spots. A significant number (19%) of respondents to the ACC survey reported overseeing a variety of additional functions, including corporate development, employee relations, insurance and intellectual property. The sheer range of these challenges further emphasizes the need for collaboration and interdisciplinary expertise to effectively address them.
How Risk Professionals Can Prepare
Risk assessment is twofold: not only do risk management and legal need to work closely with the rest of the organization to manage overarching business risk, but they also remain on the hook for governance, risk and compliance mandates within their own departments. Professionals who can creatively and successfully solve governance, risk and compliance problems within their own department will be best positioned to apply the strategies and tools that work internally to broader, cross-functional challenges that extend across the organization. As the relationship between risk managers and legal professionals evolves and their roles become more closely intertwined, risk professionals need to be flexible, adaptive and proactive. They must always be ready to learn as new threats emerge and others evolve.